About the SO PIN
The Security Officer PIN (SO PIN) is a string of at least four characters that the cluster administrator must supply to perform certain operations that modify the PKCS#11 file or KMIP store.
How the SO PIN Is Used
- Rekeying the common or core KEK keys.
- Setting a new client certificate to replace an expired certificate.
- Configuring KMIP IP addresses.
- The SO PIN prevents unauthorized configuration changes to the PKCS#11 store.
- The cluster admin does not need to use the SO PIN directly, but it is a best practice to change it to something other than the default value.
- You must provide the SO PIN only during an mrhsm rekey operation. mrhsm rekey creates a new Core KEK, which is used to encrypt the CLDB key and DARE key.
- The SO PIN becomes more useful if the cluster is later reconfigured to use an external KMIP keystore.
Specifying the SO PIN
The SO PIN is configured during the initial invocation of configure.sh when you specify the -hsmsopin <so-pin> parameter. See configure.sh. The PIN you specify can be 4-255 characters. All characters are allowed, including combinations of alphabetic, numeric, and special characters.
Default SO PIN
For a new installation of a release 7.0.0 or later Data Fabric cluster, the default SO PIN is 1234 unless you specify the SO PIN after you use configure.sh.
Changing the SO PIN
Use the mrhsm sopin command to change the SO PIN. The command requires you to specify the old (current) and new SO PIN values. For example:
# mrhsm sopin
Current SO PIN: ****
Enter new SO PIN (4-255 characters): ****
Please reenter new SO PIN: ****
New SO PIN is set successfully
If You Lose the SO PIN
Losing or forgetting the SO PIN does not affect normal cluster operations but prevents certain KMIP configuration changes. See FAQ #2 in Frequently Asked Questions.
Upgrading and the SO PIN
By default, the Data Fabric software initializes mrhsm using the same default hsm label and SO PIN as done during a new release 7.0.0 installation (if mrhsm has not already been initialized). You can change default values by specifying the -hsmlabel <label> and -hsmsopin <so-pin> options in configure.sh. See Upgrade Notes (Release 7.9).